Closed
Bug 117307
Opened 23 years ago
Closed 23 years ago
Crash in error handler on invalid JavaScript
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
People
(Reporter: bht237, Assigned: khanson)
Details
(Keywords: crash, testcase)
Attachments
(4 files)
Build ID: 2001122803
Mozilla crashes on pages that are "translated" by Google. I guess authors cannot do much about this because the original pages are compliant and error-free. I have saved a "translated" index page and reduced it to a rather primitive testcase. I have done my best to make it as easy as possible; the original page was rather complex. Hope this helps to make Mozilla the most stable browser on the planet!
Confirming on Linux build 2001122821. Could someone bump up the Severity of this? Thanks for testing Mozilla.
Comment 4•23 years ago
Crashes 2001122608 Linux. CC: stephend@netscape.com for talkback retrieval, please (TB1017405E).
Comment 5•23 years ago
Over to JS engine (visual inspection of testcase suggests that the c.caller business is to blame).
Assignee: asa → rogerl
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
Comment 7•23 years ago
Removing CC Stephend: we already have a stack trace.
win2k stack trace:
fun_getProperty(JSContext * 0x03c8b488, JSObject * 0x03d87840, long -13, long * 0x0012de1c) line 935 + 12 bytes
js_GetProperty(JSContext * 0x03c8b488, JSObject * 0x03d87840, long 15255704, long * 0x0012de1c) line 2447 + 149 bytes
js_Interpret(JSContext * 0x03c8b488, long * 0x0012dfcc) line 2630 + 1998 bytes
js_Invoke(JSContext * 0x03c8b488, unsigned int 3, unsigned int 2) line 849 + 13 bytes
js_InternalInvoke(JSContext * 0x03c8b488, JSObject * 0x02bfee18, long 64518208, unsigned int 0, unsigned int 3, long * 0x04028100, long * 0x0012e0f4) line 924 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03c8b488, JSObject * 0x02bfee18, long 64518208, unsigned int 3, long * 0x04028100, long * 0x0012e0f4) line 3405 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x03c650a8, void * 0x02bfee18, void * 0x03d87840, unsigned int 3, void * 0x04028100, int * 0x0012e240, int 1) line 1011 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03ffc160, nsIDOMEvent * 0x04028068) line 180 + 77 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03f804d0, nsIDOMEvent * 0x04028068, nsIDOMEventTarget * 0x03c8b250, unsigned int 8, unsigned int 7) line 1205 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03ffc0a0, nsIPresContext * 0x03effa38, nsEvent * 0x0012ea30, nsIDOMEvent * * 0x0012e91c, nsIDOMEventTarget * 0x03c8b250, unsigned int 7, nsEventStatus * 0x0012ec34) line 1878 + 36 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x03c8b240, nsIPresContext * 0x03effa38, nsEvent * 0x0012ea30, nsIDOMEvent * * 0x0012e91c, unsigned int 1, nsEventStatus * 0x0012ec34) line 636
NS_ScriptErrorReporter(JSContext * 0x03c8b488, const char * 0x0401dae0, JSErrorReport * 0x0012ec84) line 170
js_ReportCompileErrorNumber(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSCodeGenerator * 0x00000000, unsigned int 0, const unsigned int 109) line 577 + 15 bytes
WellTerminated(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, int -1) line 258 + 19 bytes
Statement(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 0x0012ee54) line 1723 + 32 bytes
Statements(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 0x0012ee54) line 897 + 17 bytes
FunctionBody(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSFunction * 0x0401d440, JSTreeContext * 0x0012ee54) line 555 + 17 bytes
FunctionDef(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 0x0012efe4, int 0) line 731 + 21 bytes
FunctionStmt(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 0x0012efe4) line 867 + 19 bytes
Statement(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 0x0012efe4) line 1182 + 17 bytes
Statements(JSContext * 0x03c8b488, JSTokenStream * 0x0401d008, JSTreeContext * 0x0012efe4) line 897 + 17 bytes
js_CompileTokenStream(JSContext * 0x03c8b488, JSObject * 0x02bfee18, JSTokenStream * 0x0401d008, JSCodeGenerator * 0x0012efe4) line 392 + 17 bytes
CompileTokenStream(JSContext * 0x03c8b488, JSObject * 0x02bfee18, JSTokenStream * 0x0401d008, void * 0x03c8b508, int * 0x00000000) line 2831 + 24 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x03c8b488, JSObject * 0x02bfee18, JSPrincipals * 0x03edab88, const unsigned short * 0x0401cec0, unsigned int 114, const char * 0x0401cdd0, unsigned int 29) line 2911 + 23 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03c8b488, JSObject * 0x02bfee18, JSPrincipals * 0x03edab88, const unsigned short * 0x0401cec0, unsigned int 114, const char * 0x0401cdd0, unsigned int 29, long * 0x0012f1a4) line 3353 + 33 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03c650a8, const nsAString & {...}, void * 0x02bfee18, nsIPrincipal * 0x03edab84, const char * 0x0401cdd0, unsigned int 29, const char * 0x00000000, nsAString & {...}, int * 0x0012f210) line 676 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x0401cd10, const nsAFlatString & {...}) line 576
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x0401cd10) line 483 + 22 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x03eda9d0, nsIDOMHTMLScriptElement * 0x0401ca34, nsIScriptLoaderObserver * 0x0401ca38) line 426 + 15 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x0401ca08, nsIDocument * 0x03ee4da0, int 0, int 1) line 159
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * const 0x03ee5288, nsIContent * 0x0401ca08, int 0, int 0) line 3823
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5115
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x03eda828, const nsIParserNode & {...}) line 3476 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x03ffc848) line 3786 + 22 bytes
CNavDTD::HandleScriptToken(const nsIParserNode * 0x03ffc848) line 2233 + 12 bytes
CNavDTD::OpenContainer(const nsCParserNode * 0x03ffc848, nsHTMLTag eHTMLTag_script, int 1, nsEntryStack * 0x00000000) line 3437 + 12 bytes
CNavDTD::HandleDefaultStartToken(CToken * 0x03ed9478, nsHTMLTag eHTMLTag_script, nsCParserNode * 0x03ffc848) line 1307 + 20 bytes
CNavDTD::HandleStartToken(CToken * 0x03ed9478) line 1720 + 22 bytes
CNavDTD::HandleToken(CNavDTD * const 0x03d3bf20, CToken * 0x00000000, nsIParser * 0x03ed9208) line 886 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x03d3bf20, nsIParser * 0x03ed9208, nsITokenizer * 0x03fdae70, nsITokenObserver * 0x00000000, nsIContentSink * 0x03eda828) line 522 + 20 bytes
nsParser::BuildModel() line 1980 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 1846 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x03ed920c, nsIRequest * 0x03ed59e8, nsISupports * 0x00000000, nsIInputStream * 0x03f8cbb0, unsigned int 0, unsigned int 527) line 2469 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x03ed56a8, nsIRequest * 0x03ed59e8, nsISupports * 0x00000000, nsIInputStream * 0x03f8cbb0, unsigned int 0, unsigned int 527) line 241 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x03f8ce80, nsIRequest * 0x03ed59e8, nsISupports * 0x00000000, nsIInputStream * 0x03edf8d0, unsigned int 0, unsigned int 527) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x03ed59ec, nsIRequest * 0x03ee0084, nsISupports * 0x00000000, nsIInputStream * 0x03edf8d0, unsigned int 0, unsigned int 527) line 2427 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 193 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03fdb10c) line 116
PL_HandleEvent(PLEvent * 0x03fdb10c) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00e75690) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000400fe, unsigned int 49403, unsigned int 0, long 15160976) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x00e2bd60) line 303
main1(int 2, char * * 0x003c6c70, nsISupports * 0x00000000) line 1264 + 32 bytes
main(int 2, char * * 0x003c6c70) line 1594 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Comment 8•23 years ago
Reassigning to Kenton, and cc'ing Brendan on this crash. I'm not sure if this is JS Engine's fault or not, since I cannot produce an example that crashes in the standalone JS shell. bht@actrix.gen.nz: thank you for providing a reduced testcase. I've been able to reduce the crash even further, to this:
<HTML><HEAD><SCRIPT>
window.onerror=f;
function f() {f.caller;}
</script></head><BODY><SCRIPT>
causeErr();
function causeErr() {1=2;}
</script></body></html>
I will attach this below, along with my stack trace on WinNT.
Assignee: rogerl → khanson
Comment 9•23 years ago
Comment 10•23 years ago
Comment 11•23 years ago
On Linux, it crashes at: http://lxr.mozilla.org/mozilla/source/js/src/jsfun.c#935
The code here is
934 if (fp && fp->down && fp->down->fun)
935     *vp = fp->down->argv[-2];
fp->down->argv = 0x0
So of course it gets a segfault.
Comment 12•23 years ago
Continuing on my last comment, I thought this info might be somewhat useful.
fp = {callobj = 0x0, argsobj = 0x0, varobj = 0x0, script = 0x87234c0, fun = 0x8288260, thisp = 0x848ca08, argc = 3, argv = 0x8736df4, rval = -2147483647, nvars = 0, vars = 0x8736e00, down = 0xbfffe260, annotation = 0x0, scopeChain = 0x848ca08, pc = 0x87234f7 "5", sp = 0x8736e08, spbase = 0x8736e04, sharpDepth = 0, sharpArray = 0x0, flags = 0, dormantNext = 0x0}
fp->down = {callobj = 0x0, argsobj = 0x0, varobj = 0x8691e30, script = 0x0, fun = 0x87331d0, thisp = 0x0, argc = 0, argv = 0x0, rval = 0, nvars = 0, vars = 0x0, down = 0xbfffe4a0, annotation = 0x0, scopeChain = 0x8691e30, pc = 0x0, sp = 0x8736e00, spbase = 0x0, sharpDepth = 0, sharpArray = 0x0, flags = 0, dormantNext = 0x0}
fp->down->fun = {nrefs = 1, object = 0x8691e30, native = 0, script = 0x0, nargs = 0, extra = 0, nvars = 0, flags = 0 '\000', spare = 0 '\000', atom = 0x87331b0, clasp = 0x0}
Hope this helps.
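Added illustration, not code from the Mozilla tree and not the actual patch: a constructed C model of the frame chain from comments 11 and 12. The quoted guard at line 934 checks fp, fp->down and fp->down->fun but never fp->down->argv, so a frame that has fun set but argv == 0x0 (the state in the gdb dump) reaches the argv[-2] read; the hardened getter adds that check and reports null instead. Assumed: the simplified struct fields, the argv[-2] callee-slot convention, and the constructed function names and values.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified stand-ins for the JSStackFrame/JSFunction fields
 * named in comments 11 and 12 (assumption: not the real jsinterp.h types). */
typedef uintptr_t jsval;
#define JSVAL_NULL ((jsval)0)

typedef struct JSFunction { const char *atom; } JSFunction;

typedef struct JSStackFrame {
    JSFunction *fun;            /* function running in this frame, NULL for top-level */
    jsval *argv;                /* argument vector; argv[-2] is the callee slot (assumption) */
    void *script;               /* NULL when the frame has no compiled script */
    struct JSStackFrame *down;  /* the calling frame */
} JSStackFrame;

/* Guard as quoted from jsfun.c line 934: fp, fp->down and fp->down->fun are
 * checked, fp->down->argv is not. Returns 1 when line 935 would go on to
 * read fp->down->argv[-2]; with argv NULL that read is the segfault. */
int buggy_guard_would_deref(const JSStackFrame *fp)
{
    return fp && fp->down && fp->down->fun;
}

/* Hardened getter (illustration only): additionally require a non-NULL
 * argument vector before reading the callee slot, otherwise return null. */
jsval caller_getter_safe(const JSStackFrame *fp)
{
    if (fp && fp->down && fp->down->fun && fp->down->argv)
        return fp->down->argv[-2];
    return JSVAL_NULL;
}

/* Constructed chain mirroring comment 12: the onerror handler f has a real
 * argv (argc 3); the frame below it has fun set but argv and script NULL
 * (assumption: the frame pushed while causeErr was being compiled). */
static char dummy_script;
static JSFunction fun_f = { "f" }, fun_causeErr = { "causeErr" }, fun_g = { "g" };
static jsval f_argv[5] = { 0xCA11EE, 0xAA, 1, 2, 3 };   /* [-2]=callee, [-1]=this, 3 args */
static jsval g_argv[2] = { 0xCA11E6, 0xBB };            /* callee, this */
static JSStackFrame top_level = { NULL, NULL, &dummy_script, NULL };
static JSStackFrame compile_frame = { &fun_causeErr, NULL, NULL, &top_level };
static JSStackFrame onerror_frame = { &fun_f, f_argv + 2, &dummy_script, &compile_frame };
static JSStackFrame g_frame = { &fun_g, g_argv + 2, &dummy_script, &top_level };
static JSStackFrame f_from_g = { &fun_f, f_argv + 2, &dummy_script, &g_frame };

const JSStackFrame *crash_frame(void)  { return &onerror_frame; }  /* the bug's state */
const JSStackFrame *normal_frame(void) { return &f_from_g; }       /* f called from g */
```

With crash_frame() the original guard passes while argv is NULL; the hardened getter yields JSVAL_NULL there and still returns g's callee slot for normal_frame().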
Comment 13•23 years ago
Comment 14•23 years ago
Fixed. The bug won't reproduce in the JS shell without a native function (shell command) that emulates nsJSContext::CallEventHandler, which calls JS_CallFunctionValue. /be
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 15•23 years ago
Many thanks for fixing this so quickly!
Comment 16•23 years ago
Verified FIXED - Using Mozilla trunk binaries 20020102xx on WinNT, Linux, Mac9.1. Both testcases now load without crashing. Instead, the proper error messages are displayed in the JavaScript Console -
Status: RESOLVED → VERIFIED
Comment 17•15 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+